OpenSER+Radius全攻略

最新推荐文章于 2024-05-26 14:34:42 发布
最新推荐文章于 2024-05-26 14:34:42 发布
阅读量1.3k 收藏
点赞数
文章标签: string insert mysql testing integer user

freeradius需要openssl库,在quicklinux中已经预装好openssl-0.9.7a-46.i686

如果mysql不是安装在/usr/local/目录下需要做个连接:
# ln -s /opt/lapmcp/apmc/ /usr/local/mysql

首先安装freeradius,并在不连接mysql的情况下测试:
# cd /home/zyq/tempfile/OpenSER_ins/AAA
# tar -xzvf freeradius-1.1.4.tar.gz
# cd freeradius-1.1.4
# ./configure --with-rlm-sql-lib-dir=/opt/lapmcp/apmc/lib/mysql/ --with-rlm-sql-include-dir=/opt/lapmcp/apmc/include/mysql/
# make
# make install WITH_MYSQL=yes

配置freeradius;
1) 修改 clients.conf
# vi /usr/local/etc/raddb/clients.conf
client 127.0.0.1 {
secret = testing123
shortname = localhost
nastype = other
} //默认已有。这里secret = testing123 表示从127.0.0.1这个客户端连接radius服务所需要用的密码。

2) 修改 naslist ,加入:
# vi /usr/local/etc/raddb/naslist
localhost local portslave
//默认已有

3) 编辑 users ,加入用户: (这个用户是保存在文本文件里的,做测试用)
# vi /usr/local/etc/raddb/users
在例子中的steve这段下面加入
hefish     Auth-Type:=local, User-Password == "123456"
           Service-Type = Framed-User,
           Framed-Protocol = PPP,
           Framed-IP-Address = 192.168.137.2,
           Framed-IP-Netmask = 255.255.255.0
在例子Jone Doe这段下面加入
powerlift Auth-Type := Local, User-Password == "ilovelinux"
          Reply-Message = "Hello, powerlift!"
保存退出。

4)执行测试
# /usr/local/sbin/radiusd -X
然后另开一个终端,测试:
# radtest hefish 123456 localhost 0 testing123
返回:
Sending Access-Request of id 11 to 127.0.0.1 port 1812
        User-Name = "hefish"
        User-Password = "123456"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=11, length=44
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 192.168.137.2
        Framed-IP-Netmask = 255.255.255.0
测试通过,再测试:
# radtest powerlift ilovelinux localhost 0 testing123
返回:
Sending Access-Request of id 15 to 127.0.0.1 port 1812
        User-Name = "powerlift"
        User-Password = "ilovelinux"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=15, length=39
        Reply-Message = "Hello, powerlift!"
测试通过。

5)配置radiusd用mysql来认证。先在mysql里面创建数据库:
# /usr/local/mysql/bin/mysqladmin -u root -p create radius
# cd /home/zyq/tempfile/OpenSER_ins/AAA/freeradius-1.1.4/doc/examples
# /usr/local/mysql/bin/mysql -u root -p radius < mysql.sql

6) 编辑 radiusd.conf 使其支持mysql认证;
# vi /usr/local/etc/raddb/radiusd.conf
authorize {
preprocess
chap
mschap
suffix
sql
...
}
accounting {
...
sql
...
}

7) 编辑 sql.conf ,使radius可以访问mysql
# vi /usr/local/etc/raddb/sql.conf
sql {
driver = "rlm_sql_mysql"
server = "localhost"
login = "root"
password = "mysql的密码"
radius_db = "radius"
// 剩下的配置就默认吧 (如果您要做用户帐号/网卡MAC/电话号码绑定之类的东西,那就例外,可以改下面的配置)
}

8) 向数据库里增加一些数据;
# /usr/local/mysql/bin/mysql -u root -p radius
先加入一些组信息:
insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type','=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask','=','255.255.255.255');
insert into radgroupcheck (groupname, attribute, op, value) values ("user", "Auth-Type", ":=", "Local");
然后加入用户信息:
insert into radcheck (username,attribute,op,value) values ('zyq','User-Password','==','12345678');
然后把用户加到组里:
insert into usergroup(username,groupname) values('zyq','user');

9) 为了让radius能正确地调用mysql,还要指定一下库的位置:
# echo /usr/lib >> /etc/ld.so.conf
# echo /usr/local/lib >> /etc/ld.so.conf
# echo /opt/lapmcp/apmc/lib >> /etc/ld.so.conf
# ldconfig

10) 测试freeradius+mysql:
# radtest zyq 12345678 localhost 0 testing123
收到:
Sending Access-Request of id 146 to 127.0.0.1 port 1812
        User-Name = "zyq"
        User-Password = "12345678"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=146, length=32
        Service-Type = Framed-User
        Framed-IP-Netmask = 255.255.255.255
      
===================================
安装radius-client:
~# tar xvfz radiusclient-ng-X.Y.Z.tar.gz
~# cd radiusclient-ng-X.Y.Z
~# ./configure
~# make
~# make install

安装OpenSER with freeradius:
检查mysql.h及libmysqlclient.so等是否就位
将libmysqlclient.so、libmysqlclient.so.15、libmysqlclient_r.so及libmysqlclient_r.so.15从/usr/local/mysql/lib/mysql下cp到/usr/lib下
mysql.h在/usr/local/mysql/include/mysql下,如果mysql不是标准安装则把mysql目录cp到/usr/local/include下

编译安装OpenSER:
~> tar xzvf openser-1.1.0_src.tar.gz
~> cd openser-1.1.0
~> vi modules/acc/Makefile
将以下两行前的注释去掉:
DEFS+=-DRAD_ACC -I$(LOCALBASE)/include
LIBS=-L$(LOCALBASE)/lib -lradiusclient-ng
~> vi Makefile
exclude_modules?=               jabber cpl-c pa mysql postgres osp unixodbc /
                                              avp_radius auth_radius group_radius uri_radius
注释掉第二行,删除第一行的mysql
~> NICER=1 make all
~> make install

完了后在/usr/local/sbin下面会生成
openser,openserctl,openserunix,openser_mysql.sh这四个文件
用openser_mysql.sh create创建数据库:
~> openser_mysql.sh create
MySql password for root:                               //mysql的密码
Domain (realm) for the default user 'admin':           //直接回车
       creating database openser ...
Install SERWEB tables ?(y/n):y                         //按y然后回车
Domain (realm) for the default user 'admin':           //直接回车
       creating serweb tables into openser ...
     
修改openser的配置文件/usr/local/etc/openser/openser.cfg
接着修改相同目录下的openserctlrc

此时用openserctl start/stop已经可以启动/关闭openser了

===============================================

配置openser with freeradius:
1)生成OpenSER RADIUS Dictionary
~# cp /usr/local/etc/openser/dictionary.radius /usr/local/etc/radiusclient-ng/dictionary.openser
~# vi /usr/local/etc/radiusclient-ng/dictionary.openser
用以下内容替换原有的:
#### Attributes ###
#ATTRIBUTE User-Name                 1 string     # RFC2865
#ATTRIBUTE Service-Type                 6 integer    # RFC2865
#ATTRIBUTE Called-Station-Id             30 string     # RFC2865, acc
#ATTRIBUTE Calling-Station-Id            31 string     # RFC2865, acc
#ATTRIBUTE Acct-Status-Type              40 integer    # RFC2865, acc
#ATTRIBUTE Acct-Session-Id               44 string     # RFC2865, acc
ATTRIBUTE Sip-Method                   101 integer    # Schulzrinne, acc
ATTRIBUTE Sip-Response-Code            102 integer    # Schulzrinne, acc
ATTRIBUTE Sip-Cseq                     103 string     # Schulzrinne, acc
ATTRIBUTE Sip-To-Tag                   104 string     # Schulzrinne, acc
ATTRIBUTE Sip-From-Tag                 105 string     # Schulzrinne, acc
ATTRIBUTE Sip-Translated-Request-URI   107 string     # Proprietary, acc
ATTRIBUTE Sip-Src-IP                   108 string     # Proprietary, acc
ATTRIBUTE Sip-Src-Port                 109 string     # Proprietary, acc
ATTRIBUTE Digest-Response      206 string     # Sterman, auth_radius
ATTRIBUTE Sip-Uri-User         208 string     # Proprietary, auth_radius
ATTRIBUTE Sip-Group            211 string     # Proprietary, group_radius
ATTRIBUTE Sip-Rpid             213 string     # Proprietary, auth_radius
ATTRIBUTE SIP-AVP              225 string     # Proprietary, avp_radius
ATTRIBUTE Digest-Realm                1063 string     # Sterman, auth_radius
ATTRIBUTE Digest-Nonce                1064 string     # Sterman, auth_radius
ATTRIBUTE Digest-Method               1065 string     # Sterman, auth_radius
ATTRIBUTE Digest-URI                  1066 string     # Sterman, auth_radius
ATTRIBUTE Digest-QOP                  1067 string     # Sterman, auth_radius
ATTRIBUTE Digest-Algorithm            1068 string     # Sterman, auth_radius
ATTRIBUTE Digest-Body-Digest          1069 string     # Sterman, auth_radius
ATTRIBUTE Digest-CNonce               1070 string     # Sterman, auth_radius
ATTRIBUTE Digest-Nonce-Count          1071 string     # Sterman, auth_radius
ATTRIBUTE Digest-User-Name            1072 string     # Sterman, auth_radius

~# cd /usr/local/etc/raddb
~# vi clients.conf
加入以下内容:
client 192.168.137.2 {
   secret       = testing123
   shortname   = openser
}
~# vi radiusd.conf
在modules {下面找到digest,去掉注释,默认已去掉
在authorize {和authenticate {下去掉digest的注释,保存退出
~# vi /usr/local/etc/raddb/dictionary
加入下面这行:
$INCLUDE /usr/local/etc/radiusclient-ng/dictionary.openser

~# vi /usr/local/etc/raddb/users
在最后加入以下内容:
### --- avps ---
101@192.168.137.2 Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"
   Sip-Avp += "#3#1",
   Sip-Avp += "#4:08:00",
   Sip-Avp += "#5:16:00",
   Sip-Avp += "#6:Mon,Wed,Thu,Fri"

102@192.168.137.2 Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"
   Sip-Avp += "#3#1",
   Sip-Avp += "#4:08:00",
   Sip-Avp += "#5:16:00",
   Sip-Avp += "#6:Mon,Wed,Thu,Free"

DEFAULT Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"

### --- group checking ---
### --- user 101 ---
101@192.168.137.2 Auth-Type := Accept, Sip-Group == "voip", Service-Type == "Group-Check"
   Reply-Message = "Authorized"

101@192.168.137.2 Auth-Type := Accept, Sip-Group == "pstn", Service-Type == "Group-Check"
   Reply-Message = "Authorized"

### --- user 102 ---
102@192.168.137.2 Auth-Type := Accept, Sip-Group == "voip", Service-Type == "Group-Check"
   Reply-Message = "Authorized"

DEFAULT Auth-Type := Reject, Service-Type == "Group-Check"

### --- user authentication ---
101@192.168.137.2 Auth-Type := Digest, User-Password == "101"
   Reply-Message = "Authenticated",
   Sip-Avp += "rpid:101",
   Sip-Avp += "#2:192.168.137.1",
   Sip-Avp += "#2:192.168.137.11"

102@192.168.137.2 Auth-Type := Digest, User-Password == "102"
   Reply-Message = "Authenticated",
   Sip-Avp += "rpid:102",
   Sip-Avp += "#2:192.168.137.1"

================================================

配置RadiusClient-ng :
~# vi /usr/local/etc/radiusclient-ng/radiusclient.conf
将以下localhost改成服务器地址:
...
authserver      localhost
...
acctserver      localhost
...

~# vi /usr/local/etc/radiusclient-ng/servers
加入服务器地址和secret的对应
192.168.137.2   testing123

~# vi /usr/local/etc/radiusclient-ng/dictionary
加入下面这行:
$INCLUDE /usr/local/etc/radiusclient-ng/dictionary.openser

~# vi /usr/local/etc/raddb/users
加入测试Digest的数据:
test Auth-Type := Digest, User-Password == "test"
   Reply-Message = "Hello, test with digest"
测试:
~# /usr/local/sbin/radiusd -X
新开一个终端,按下面来做:
Create a file named “digest” and put following in it, all in a single line:

...
User-Name = "test", Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7",
Digest-Realm = "testrealm", Digest-Nonce = "1234abcd" ,
Digest-Method = "INVITE", Digest-URI = "sip:5555551212@example.com",
Digest-Algorithm = "MD5", Digest-User-Name = "test"
...

Use “radclient” for testing the server. It is assumed that you run “radclient” on OpenSER system. You have to install it there, since this tool comes with FreeRADIUS server.

...
radclient -f digest 192.168.137.2 auth testing123
...

In case of correct response from the server, you should see something like:

...
Received response ID 224, code 2, length = 45
        Reply-Message = "Hello, test with digest"
...

=======================================================

配置OpenSER:
~# vi /usr/local/etc/openser/openser.cfg
见附件。

CDR位于"var/log/radius/radacct/"

--------------------------------
Debug:
1、不能load libradius-ng.so.2:
在环境变量中加入LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib

2、1.0.0以上版本中已经没有modparam ( " auth_radius " , " rpid_old_compat " , 1 )

3、the syntax of avp parameters for avpops modules has changed. Please see:

http://openser.org/dokuwiki/doku.php?id=migrating_openser_v1.0.x_to_v1.1.x

For example, in your case:

avp_write("$ruri", "i:10"); => avp_write("$ruri", "$avp(i:10)");

4、ERROR: acc: can't get code for the Sip-Method attribute
Did you include dictionary.ser into your main libradiusclient dictionary?

5、ERROR: tcp_init: bind on 127.0.0.1
在ser.cfg中加入listen=udp:192.168.137.5

6、raddb下创建digest文件,里面加入各个用户的信息;
打开freeradius的mysql支持,在radiusd.conf中把sql注释去掉就支持了,users文件就不起作用了;
在acc的配置文件基础上加入radius-acc计费,再参照ser下台湾人配置的认证文档,加入radius认证;
关键在于radius_www_authorize,只要它在,就用radius来认证,否则就用本机来认证
在用radius认证的情况下acc中也会有cdr,证明cdr的产生跟subscriber无关。

mysql -uroot -p123456 radius

insert into radgroupreply (GroupName,Attribute,op,Value) values ('user','Auth-Type',':=','Local');
insert into radgroupreply (GroupName,Attribute,op,value) values ('user','Service-Type',':=','Framed-User');
insert into radgroupreply (GroupName,Attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.254');
insert into radgroupreply (GroupName,Attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');

insert into radcheck (UserName,Attribute,op,Value) values ('8001@192.168.137.2','User-Password','==','1111');
insert into radcheck (UserName,Attribute,op,Value) values ('8001@192.168.137.2','Auth-Type',':=','Digest');
insert into radcheck (UserName,Attribute,op,Value) values ('8002@192.168.137.2','User-Password','==','1111');
insert into radcheck (UserName,Attribute,op,Value) values ('8002@192.168.137.2','Auth-Type',':=','Digest');

cnbird2008
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
Build SIP-based VOIP Service With RADIUS AAA Using Kamailio (OpenSER) And FreeRadius
RTC hacker
10-18 2347
<br />Table of Contents1. Overview2. The architecture of the VoIP service3. FreeRadius Installation4. OpenSER Installation4.1. RadiusClient-ng library installation4.2. OpenSER installation from sources4.3. OpenSER RADIUS Dictionary5. FreeRadius configurati
openwisp-radius:Django和python中用于freeradius 3的管理Web界面和REST API。支持强制门户认证,WPA Enerprise(802.1x),freeradius rlm_rest,社交登录,Hotspot 2.0 802.11u,从CSV导入用户,新用户注册等
03-21
开放半径 OpenWISP RADIUS提供了一个通往数据库的Web界面,一个丰富的并具有, ,, ,等功能。 它可以用作独立的应用程序,也可以与其他集成。它也可以用作此。
linux open***2.05实现radius认证笔记
weixin_33695082的博客
05-11 169
基于linux Open×××的技术类文章很少 一般来说都是基于windows下的 常常认证Open×××用的大多都是证书,本人认为证书虽然很安全但是却不方便。现在我来配置下利用linux open***2.05实现radius认证 Radius的认证工具很多 windowsActiveDirectory或WinRadius 我就用来WinRadiu...
架设基于FreeRADIUS带有认证计费功能的Open***
weixin_33834075的博客
01-19 770
一、文档预习    在查看下面博文之前,请大家先预览一下我前几篇关于Open***的部署,一遍与大家更好的了解:    搭建基于证书认证登录的Open***服务器    搭建基于用户密码认证的Open***    使用MySQL验证Open***用户登录访问二、FreeRadius简介    RADIUS认证服务器(Remote Authentication Dial In User Servic...
radios访问外网
weixin_45116475的博客
07-01 1473
接着上一篇所讲,上一篇使用的是Windows身份验证,这次我们使用Radius验证访问 首先打开服务器管理器 在内网服务器上添加网络策略和访问服务 安装 打开网络策略服务器 新建radius客户端 配置连接请求策略 配置网络策略 配置完成后,需要在×××服务器上配置更改为radius验证登录 最后客户端验证登录访问××× ...
Centos6.2+Open***+Radius+Mysql+daloRADIUS
weixin_33826268的博客
12-24 160
Centos6.2+Open***+Radius+Mysql+daloRADIUShttp://www.cactifans.org/***/615.htmlOpen×××是不同于PPTP、L2TP的另一种×××软件包,基于SSL的×××。Open×××使用需要客户端支持。OS:CentOS6.2I386Open***:open***-2.2.1-1.el6.i686R...
freeRadius设置任意账号密码认证通过
weixin_30561425的博客
12-06 1354
[root@wifi_radiusdproxy_16 raddb]# cat users # # Please read the documentation file ../doc/processing_users_file, # or 'man 5 users' (after installing the server) for more information. # ...
使用OpenSER构建电话通信系统.docx
11-21
OpenSER】是一个开源的SIP(Session Initiation Protocol)服务器,用于构建电话通信系统,特别是在VoIP(Voice over Internet Protocol)领域。SIP是一种应用层协议,由IETF(Internet Engineering Task Force)...
使用OpenSER构建电话通信系统
08-01
"使用OpenSER构建电话通信系统" 基于 OpenSER 构建的电话通信系统需要了解 SIP 协议的基本概念和工作原理。SIP(Session Initiation Protocol)是一种应用层协议,用于建立、修改和终止会话或多媒体通话。它是 VoIP...
OpenSER构建电话通信系统
01-08
会话初始化协议是互联网工程任务组(IETF)制定的协议标准,在多个RFC(Request for Comments)文档中被进行了描述说明。RFC3261是最近的一个RFC,一般称它为SIP版本2。SIP是一个应用层的协议,用来建立,修改,终止...
openser配置PDF
03-06
openser的配置说明,包括注册,认证,NAT穿越,计费(freeradius和cdrtool的安装与配置).
openwisp-users:为OpenWISP实现用户管理和多租户
02-04
openwisp-users:为OpenWISP实现用户管理和多租户
RADIUS指南(下:实战)
coldljy的专栏
08-17 3905
1 FreeRadius1.1 安装环境RHEL AS4 准备安装包 MySQL在http://dev.mysql.com/ 下载 FreeRadius 在http://www.freeradius.org/ 下载 安装 如果是源文件包先解开、进行配置,然后编译再安装 步骤: tar –xzvf xxxx.tar.gz 进入到解开后的源代码
在CentOS 7 上搭建ocserv
Zzz's Blog
09-09 1835
ocserv 是一个 OpenConnect SSL VPN 协议服务端,0.3.0 版后兼容使用 AnyConnect SSL VPN 协议的终端。官方主页。ocserv 已经在 epel 仓库中提供了,所以可以直接通过 yum 安装安装 ocserv。
openeuler 安装 openguass
最新发布
weixin_63143011的博客
05-26 158
(如果遇到没有执行install.sh权限的提示,切换为root用户登录,重新执行一次。解压openGauss压缩包到安装目录。(4) 创建安装目录,数据目录。(5) 安装openGauss。
freeradius在深信服AF中检测失败的解决方法
wu_huashan的专栏
10-08 2004
深信服下一代防火墙支持LDAP、POP3、radius等做账号验证,在实际使用中,建立的freeradius服务器,在深信服的GUI中,我测试过用21cn和qq的POP3服务器做账号验证登陆上网都比较好用,但用radius做服务器验证的时候,需要5-6秒以上才显示验证成功!理论上应该是1秒就验证成功。
freeradius安装配置
redwingz的博客
06-05 4925
开源radius服务端软件freeradius,在Ubuntu 16.10 server版上的安装命令:sudo apt-get install freeradius配置文件目录位于/etc/freeradius/3.0/中。首先修改users认证用户配置文件,查找 steve Cleartext-Password :="testing" (73行), 取消该行的注释。另外为测试方便,可在文件的末...
RADIUS协议原理介绍+报文分析+配置指导-RFC2865/RFC2866
fengxingzhe008的博客
09-19 7361
史上最全面的RADIUS协议介绍,AAA协议,RADIUS的认证,授权和计费,RFC2865/RFC2866/RFC5176文档简介,RADIUS应用案例。
RADIUS实验(802.1x)
phoenix1415的博客
09-26 1931
802.1x认证过程详解-使用EAP-PEAP+EAP-MACHSPv2认证

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值